From 02cf13d8b93ac547b5b4c2cfe186b7d874fd234f Mon Sep 17 00:00:00 2001
From: Joe Becher
Date: Tue, 4 Feb 2020 10:41:09 -0500
Subject: [PATCH] [CE-1330] Escaping args (#167)

* Escaping args
---
 .gitignore         |  1 +
 lib/codecov.js     | 16 ++++++++++------
 package-lock.json  |  5 -----
 package.json       |  3 +--
 test/index.test.js |  6 ++++++
 5 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/.gitignore b/.gitignore
index 432d08da..d2eb52c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 node_modules
 lib-cov/
 coverage.json
+.vs-code
diff --git a/lib/codecov.js b/lib/codecov.js
index 0e850aa9..ad0cb2a2 100644
--- a/lib/codecov.js
+++ b/lib/codecov.js
@@ -5,7 +5,6 @@ var urlgrey = require('urlgrey')
 var jsYaml = require('js-yaml')
 var walk = require('ignore-walk')
 var execSync = require('child_process').execSync
-var validator = require('validator')
 
 var detectProvider = require('./detect')
 
@@ -394,13 +393,13 @@ var upload = function(args, on_success, on_failure) {
     if (!isWindows) {
       gcov =
         'find ' +
-        (args.options['gcov-root'] || root) +
+        (sanitizeVar(args.options['gcov-root']) || root) +
         " -type f -name '*.gcno' " +
         gcg +
         ' -exec ' +
-        (validator.escape(args.options['gcov-exec']) || 'gcov') +
+        (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
         ' ' +
-        (validator.escape(args.options['gcov-args']) || '') +
+        (sanitizeVar(args.options['gcov-args']) || '') +
         ' {} +'
     } else {
       // @TODO support for root
@@ -409,9 +408,9 @@ var upload = function(args, on_success, on_failure) {
         'for /f "delims=" %g in (\'dir /a-d /b /s *.gcno ' +
         gcg +
         "') do " +
-        (args.options['gcov-exec'] || 'gcov') +
+        (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
         ' ' +
-        (args.options['gcov-args'] || '') +
+        (sanitizeVar(args.options['gcov-args']) || '') +
         ' %g'
     }
     debug.push(gcov)
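Review bot: `sanitizeVar(args.options['gcov-root']) || root` now throws a TypeError when `--gcov-root` is not supplied, because `sanitizeVar` calls `.replace` on its argument before the `|| root` fallback is evaluated; the line it replaces tolerated the missing option. Unless the option parser always fills these keys with strings (not visible here), move the fallback inside the call, `sanitizeVar(args.options['gcov-root'] || root)`, and do the same for `gcov-exec` and `gcov-args` in this hunk and in the Windows branch at @@ -409, where the same pattern is introduced. Note also that the sanitized value is still concatenated into a command string handed to `execSync`, so the call sites remain only as safe as the helper's character list. The enclosing `upload` function starts and ends outside this hunk.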
@@ -556,7 +555,12 @@ var upload = function(args, on_success, on_failure) {
   }
 }
 
+function sanitizeVar(arg) {
+  return arg.replace(/&/g, '')
+}
+
 module.exports = {
+  sanitizeVar: sanitizeVar,
   upload: upload,
   version: version,
   sendToCodecovV2: sendToCodecovV2,
diff --git a/package-lock.json b/package-lock.json
index 13376090..d3ff0bf0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6148,11 +6148,6 @@
         "spdx-expression-parse": "^3.0.0"
       }
     },
-    "validator": {
-      "version": "12.2.0",
-      "resolved": "https://registry.npmjs.org/validator/-/validator-12.2.0.tgz",
-      "integrity": "sha512-jJfE/DW6tIK1Ek8nCfNFqt8Wb3nzMoAbocBF6/Icgg1ZFSBpObdnwVY2jQj6qUqzhx5jc71fpvBWyLGO7Xl+nQ=="
-    },
     "verror": {
       "version": "1.10.0",
       "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
diff --git a/package.json b/package.json
index cc7a839e..7ff6aded 100644
--- a/package.json
+++ b/package.json
@@ -35,8 +35,7 @@
     "ignore-walk": "3.0.3",
     "js-yaml": "3.13.1",
     "teeny-request": "6.0.1",
-    "urlgrey": "0.4.4",
-    "validator": "12.2.0"
+    "urlgrey": "0.4.4"
   },
   "devDependencies": {
     "eslint": "^5.16.0",
diff --git a/test/index.test.js b/test/index.test.js
index 7e2c92fb..7fd11431 100644
--- a/test/index.test.js
+++ b/test/index.test.js
@@ -276,4 +276,10 @@ describe('Codecov', function() {
     expect(res.query.yaml).toBe(process.cwd() + '/foo.yml')
     mockFs.restore()
   })
+
+  it('can sanitize inputs', function() {
+    expect(codecov.sanitizeVar('real & run unsafe & command')).toEqual(
+      'real run unsafe command'
+    )
+  })
 })
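Review bot: `sanitizeVar` removes only `&`, yet its result is interpolated into a shell command string executed through `execSync` in `upload`, and a shell recognizes several other metacharacters besides `&` (command separators, pipes, substitution, quoting), so a one-character denylist does not make the value safe to embed. The robust fix is to stop building a command string altogether: pass the executable and its arguments as an array to `child_process.execFileSync` or `spawnSync`, so no shell parses the user-supplied values and this helper becomes unnecessary; if the string form has to remain, apply a proper shell-quoting routine to each value instead of deleting characters. Independently, `arg.replace` throws when the option is absent, so guard the input with `if (typeof arg !== 'string') return ''` before the replace. Whichever route is taken, document the helper's actual guarantee, e.g. `// Strips '&' only; the result is NOT shell-safe and must not be embedded in an execSync command unquoted`.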
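Review bot: The new test pins only that `&` is removed; nothing states what `sanitizeVar` does with a missing option or with the other characters a shell interprets, which is the contract the `upload` call sites actually depend on. Add `expect(codecov.sanitizeVar(undefined)).toEqual('')` once the helper guards non-string input, and one assertion per character class the helper is meant to reject, so the guarantee is spelled out in the test rather than implied by the regex literal.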